Download Item:

Abstract:

This is a report of an audit of Revenue carried out by the Office of the Data Protection Commissioner on a number of dates between November 2008 and May 2009.
Revenue was selected for audit in the light of its status as a major public sector holder of personal data on individuals. Much of this data is provided in circumstances where the individual has no choice but to supply this information, in accordance with taxation legislation, if they wish to make a declaration of income or apply for a tax credit or relief.
The Office of the Data Protection Commissioner acknowledged from the outset of the audit process the strong and extensive legal powers facilitating the capture and disclosure of information to Revenue as an entity. In addition, Section 8(b) of the Data Protection Acts 1988 & 2003 provides a broad set of exemptions regarding the processing of personal data for the assessment or collection of tax. Notwithstanding this, these exemptions are subject to a prejudice test in each case.
The audit of Revenue conducted by the ODPC focused on ascertaining and verifying the exact legal basis for each data transfer, the means by which such information is disclosed to Revenue and the channels deployed for any outward bound disclosures. Of paramount concern, the Office of the Data Protection Commissioner sought evidence and assurance of the safe and secure transmission of all personal data contained in these transfers. In addition, internal Revenue repositories for the storage and retention of large volumes of personal data were examined in detail in order to assess the efficacy of the policies and procedures in place to safeguard the data held by Revenue.